Re: Admin for E-MAIL users only



On Sat, Jul 06, 2002 at 06:14:20PM -0400, Fraser Campbell wrote:
> On Thu, 2002-07-04 at 22:57, Russell Coker wrote:
> 
> > Delegating administrative access to one tree of an LDAP directory is
> > easy.  Preventing it from being used maliciously is another issue.
> > A hostile user could create a new LDAP entry with a UID of 0...
> 
> But if you configure files lookups before db lookups the uid 0 entry in
> LDAP or SQL would never be used right?  Snippet from /etc/nsswitch.conf:
> passwd:         files mysql
> shadow:         files mysql
> group:          files mysql

nope.

any account with uid=0 is root.  you can have multiple uid=0 accounts
in /etc/passwd or in mysql or anywhere else the system is configured to
get auth info from.


some ideas:

1. use a decent database like postgres rather than a toy like mysql and
set a trigger to prevent creation of records in your accounts table
where the uid field equals 0.  i.e. the database server should reject
any such attempt itself, not rely on the client app to do the right
thing.

2. use PAM rather than nsswitch modules - that way you can configure
which services will get acct info from the database.  e.g. your MTA,
local delivery agent, pop & imap daemons but NOT login, ssh, telnet,
ftp, or anything else.

nsswitch is easier and works with anything that uses standard libc calls
like getpwent() etc.

PAM is far more flexible, but more work to configure properly.  also, it
only works with stuff compiled to use it (in debian, that means
basically everything.  on other distributions....who knows?).

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
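The server-side check suggested in idea 1 above, written out as an added PostgreSQL example that is not from the original post; the `accounts` table, its column names and the sample rows are all assumptions:

```sql
-- Added example (not from the original post): a trigger that makes the
-- database server itself refuse any account row with uid 0, whatever
-- client (admin tool, sync script, web form) tries to insert or update it.
-- Table layout is hypothetical; adjust to the schema your NSS/PAM module reads.
CREATE TABLE accounts (
    username  text    PRIMARY KEY,
    uid       integer NOT NULL,
    gid       integer NOT NULL,
    homedir   text    NOT NULL,
    shell     text    NOT NULL DEFAULT '/bin/false'
);

-- Trigger function: abort the statement when the new or changed row has uid 0.
CREATE OR REPLACE FUNCTION reject_uid_zero() RETURNS trigger AS $$
BEGIN
    IF NEW.uid = 0 THEN
        RAISE EXCEPTION 'uid 0 is reserved for root; refusing account "%"', NEW.username;
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- Fire before every insert and update, so an existing row cannot be
-- changed to uid 0 either.
CREATE TRIGGER accounts_no_uid_zero
    BEFORE INSERT OR UPDATE ON accounts
    FOR EACH ROW EXECUTE PROCEDURE reject_uid_zero();

-- Constructed sample rows: the first is accepted, the second is rejected
-- by the trigger and the statement fails.
INSERT INTO accounts VALUES ('alice', 1001, 100, '/home/alice', '/bin/false');
INSERT INTO accounts VALUES ('mallory', 0, 0, '/root', '/bin/sh');
UPDATE accounts SET uid = 0 WHERE username = 'alice';  -- also rejected
```

A plain `CHECK (uid >= 1000)` constraint on the column gives the same protection for inserts and updates with less code, and has the advantage of fencing off the whole system uid range rather than only 0.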

